Anne,
After reading section 4 of http://dev.w3.org/2006/webapi/XMLHttpRequest/
which states, "excluding headers that case-insensitively match
Set-Cookie or Set-Cookie2" I feel closure over this issue.
Thank you so much for entertaining this conversation!
Vive HTTPOnly (and the w3c!)
- Jim
Anne,
Thanks for your response and thought over this matter.
Perhaps we could make a compromise and change:
"Apart from requirements affecting security made throughout this
specification implementations *may, at their discretion,* not expose
certain headers, such as headers containing HttpOnly cookies."
to
"Apart from requirements affecting security made throughout this
specification implementations *should* not expose certain headers,
such as headers containing HttpOnly cookies."
Since implementors of XHR need to address this issue to truly honor
the security benefits of HTTPOnly, I would really like to see this in
the current XHR spec.
Thanks for entertaining this conversation,
Jim Manico
Aspect Security
On Mon, 07 Jul 2008 23:24:03 +0200, eric bing <[email protected]>
wrote:
Thanks Bjoern for laying out the reasoning here. I'm going to make one
more tilt at the windmill...
What I'm hearing from you and Anne is that you don't disagree with the
basic principle that XHR should not be able to access
HttpOnly cookies. But rather that this spec is not the correct place to
address this issue - because (I hope I'm restating these correctly)
1) It belongs in the (sadly non-existent) spec of cookies
2) It should be obvious to implementers
3) We can't list out all security implications - for various reasons
we'll miss some and weaken all security
I have to respectfully disagree with 2 - this was fixed for plain
javascript access to cookies, but the XHR portions were left out in
IE6 and Firefox 2. For background on the Firefox fix - check out
https://bugzilla.mozilla.org/show_bug.cgi?id=380418
It seems that the solution to this specific issue is in fact
completely oblivious to httponly. That is, Cookie and Cookie2 can no
longer be set as request headers and Set-Cookie and Set-Cookie2
cannot be read as response headers. I'm therefore planning on
removing the httponly cookie note as it is no longer necessary.
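The rule the thread converges on (Cookie/Cookie2 cannot be set as request headers, Set-Cookie/Set-Cookie2 cannot be read back as response headers, matched case-insensitively) is small enough to model directly. The following is an added example written for this archive page, not code from the XHR specification, any browser engine, or anyone in the thread; the function names mirror the XHR methods but are hypothetical models, and the response headers are constructed sample data.

```javascript
// Added example (not from the thread or the spec): a minimal model of the
// two XHR header rules discussed above, usable as an offline regression
// check by anyone implementing or testing an XHR-like API.
// Header names are compared case-insensitively, as the spec text requires.

const FORBIDDEN_REQUEST_HEADERS = ["cookie", "cookie2"];
const HIDDEN_RESPONSE_HEADERS = ["set-cookie", "set-cookie2"];

function normalize(name) {
  return String(name).trim().toLowerCase();
}

// Model of setRequestHeader(): a Cookie/Cookie2 header is dropped, so
// script cannot hand-attach cookie values (HttpOnly or otherwise).
// Returns the resulting request header list; input is not mutated.
function setRequestHeader(requestHeaders, name, value) {
  if (FORBIDDEN_REQUEST_HEADERS.includes(normalize(name))) {
    return requestHeaders; // silently ignored, as the spec describes
  }
  return requestHeaders.concat([[name, value]]);
}

// Model of getResponseHeader(): null for Set-Cookie/Set-Cookie2 in any
// letter case; other repeated headers are joined with ", ".
function getResponseHeader(responseHeaders, name) {
  const wanted = normalize(name);
  if (HIDDEN_RESPONSE_HEADERS.includes(wanted)) return null;
  const values = responseHeaders
    .filter(([n]) => normalize(n) === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Model of getAllResponseHeaders(): CRLF-delimited dump with the cookie
// headers removed, so the bulk accessor cannot leak them either.
function getAllResponseHeaders(responseHeaders) {
  return responseHeaders
    .filter(([n]) => !HIDDEN_RESPONSE_HEADERS.includes(normalize(n)))
    .map(([n, v]) => `${n}: ${v}\r\n`)
    .join("");
}

// Constructed sample response, deliberately mixing header-name case.
const SAMPLE_RESPONSE_HEADERS = [
  ["Content-Type", "text/html"],
  ["Set-Cookie", "SESSIONID=secret; HttpOnly"],
  ["set-COOKIE2", "other=1; Version=1"],
  ["X-Frame-Options", "DENY"],
];

// Self-check: true only if every rule holds on the sample data.
function selfCheck() {
  const req = setRequestHeader([], "Cookie", "SESSIONID=forged");
  return (
    req.length === 0 &&
    getResponseHeader(SAMPLE_RESPONSE_HEADERS, "SET-COOKIE") === null &&
    getResponseHeader(SAMPLE_RESPONSE_HEADERS, "Set-Cookie2") === null &&
    getResponseHeader(SAMPLE_RESPONSE_HEADERS, "content-type") === "text/html" &&
    !getAllResponseHeaders(SAMPLE_RESPONSE_HEADERS).includes("SESSIONID")
  );
}

console.log(selfCheck() ? "header rules hold" : "header rules violated");
```

The point worth noting for implementers is that the check is on the header name, not on whether a cookie carries the HttpOnly flag: once the two cookie headers are unreadable and unsettable from script, the HttpOnly note becomes redundant, which is exactly the conclusion the thread reaches.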